Vulnerability in Apache Kylin
CVE-2020-1937
Some of Kylin's REST APIs build SQL by concatenating user-supplied strings directly into the query text, so a user of those APIs is likely able to run malicious database queries (SQL injection).
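To make the described pattern concrete, the following is an added example and not Kylin's code: a hypothetical request handler that splices a caller-controlled string into SQL, next to a parameterized version, both run against a constructed in-memory SQLite table. The table name `cubes`, its columns, the sample rows and the function names are all assumptions made for illustration. It also shows the allowlist check to use when the user-controlled piece is an identifier (a table or column name) that cannot be bound as a parameter.

```python
import re
import sqlite3

# Constructed sample data standing in for a metadata table; not Kylin's schema.
SAMPLE_ROWS = [
    ("sales_cube", "admin"),
    ("hr_cube", "alice"),
    ("finance_cube", "bob"),
]

# Identifiers (table/column names) cannot be bound as query parameters,
# so they are restricted to a conservative allowlist instead.
IDENTIFIER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def make_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cubes (name TEXT, owner TEXT)")
    conn.executemany("INSERT INTO cubes VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def list_cubes_vulnerable(conn, owner):
    """Hypothetical handler: the caller's string is concatenated into the SQL.

    A value such as  nobody' OR '1'='1  turns the WHERE clause into a
    tautology and returns every row, which is the class of bug the advisory
    describes.
    """
    sql = "SELECT name FROM cubes WHERE owner = '" + owner + "' ORDER BY rowid"
    return [row[0] for row in conn.execute(sql)]


def list_cubes_parameterized(conn, owner):
    """Hardened form: the value travels as a bound parameter, never as SQL."""
    sql = "SELECT name FROM cubes WHERE owner = ? ORDER BY rowid"
    return [row[0] for row in conn.execute(sql, (owner,))]


def is_safe_identifier(name):
    """Allowlist check for a user-supplied identifier (letters, digits, '_')."""
    return isinstance(name, str) and IDENTIFIER_RE.fullmatch(name) is not None


def list_cubes_by_table(conn, table, owner):
    """Identifier goes through the allowlist, the value is still a parameter."""
    if not is_safe_identifier(table):
        raise ValueError("rejected identifier: %r" % (table,))
    sql = "SELECT name FROM %s WHERE owner = ? ORDER BY rowid" % table
    return [row[0] for row in conn.execute(sql, (owner,))]


if __name__ == "__main__":
    db = make_db()
    payload = "nobody' OR '1'='1"
    print("concatenated:", list_cubes_vulnerable(db, payload))
    print("parameterized:", list_cubes_parameterized(db, payload))
    print("identifier ok:", is_safe_identifier("cubes"),
          "rejected:", not is_safe_identifier("cubes; DROP TABLE cubes"))
```

Run it and the concatenated query returns all three cube names for the tautology payload while the parameterized query returns none, because the bound value is compared literally against the `owner` column. The identifier allowlist deliberately accepts only `[A-Za-z0-9_]`; anything with quotes, semicolons, spaces or comment markers is rejected before it reaches the query.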
EPSS score: 0.027 (83.7th percentile)
Affected products
- Apache Kylin 2.3.0 to 2.3.2, 2.4.0 to 2.4.1, 2.5.0 to 2.5.2
References
- [kylin-user] 2020-02-23: [CVE-2020-1937] Apache Kylin SQL injection vulnerability (mailing list)
- [kylin-commits] 2020-07-13: svn commit r1879845 in /kylin/site: docs/security.html, feed.xml (mailing list)
- [kylin-commits] 2020-07-15: svn commit r1879879 in /kylin/site: docs/security.html, feed.xml (mailing list)
Frequently asked questions
- What is CVE-2020-1937?
- CVE-2020-1937 is a SQL injection vulnerability in Apache Kylin's REST APIs. Published 2020-02-24.
- Is CVE-2020-1937 known to be exploited?
- 6 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.